Answered: [Security threat] tags are not sanitized in extra question field

Post date: 2020-07-01 00:44:51
Views: 319

Hey q2apro, I think you are testing the default q_view_extra($q_view); function.

The default function is still safe. But if you pull the content from the databse, it's not safe.

First, look! The script is stored in database.

database

Second, if create a function to pull that content form the datase:

public function q_item_extra($q_item)
{
$postidz = $q_item'raw']'postid'];
$extra = qa_db_read_one_value(qa_db_query_sub(
       'SELECT content FROM ^postmetas WHERE title="qa_q_extra" AND postid=#',
        $postidz
   ), true);
 
 //$extra = $q_item'extra']'content'];
 
        $this->output('My info:'.$extra);   
   
}

Here's the result:

test

I hope you'll get my point.

Please click Here to read the full story.
 
Other Top and Latest Questions:
Trump warns U.S. strikes on Iran could get ‘really bad’ next week with power plants targeted
Yum's Taco Bell removes select items, says no confirmed link to U.S. cyclosporiasis outbreak
Penpals for grown-ups?
X-Men '97: Weapon X, Lies, and DVDs
Morgan Stanley likes these stocks heading into second-quarter earnings
The AI boom just found two new winners: Goldman Sachs and JPMorgan Chase
Current and former employees sue Meta, alleging discrimination in using AI to conduct layoffs
Warren Buffett is accelerating his charitable donations with aim to give away Berkshire wealth by 2034
Why Europe is suddenly betting big on drones
Zipline adds ex-Tesla, Uber, Waymo execs to make drone delivery mainstream across U.S.